From patchwork Tue Mar 28 11:48:49 2023
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 6733
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH] amazon-ssm-agent: Update to version 3.2.582.0
Date: Tue, 28 Mar 2023 13:48:49 +0200
Message-Id: <20230328114852.2492895-3-adolf.belka@ipfire.org>
In-Reply-To: <20230328114852.2492895-1-adolf.belka@ipfire.org>
References: <20230328114852.2492895-1-adolf.belka@ipfire.org>

- Update from version 3.0.356.0
- Update of rootfile not required
- Changelog
  3.2.574.0
  - Fixed go-vet issues by passing mocks by value
  - Updated domainjoin and cloudwatch executables for windows
  3.2.532.0
  - Removed explicit setting of EC2 aws credential profile
  - Added public key to registration info
  - Sends non-interactive command errors that occur before command execution to data channel
  - Added instance id verification to registration process
  3.2.419.0
  - Added minimum retry sleep for Registrar RegisterManagedInstance calls
  - Explicitly skip AZ info check for on-prem and ECS targets
  - Fix for SSM-Agent that is unable to start on Apple Mac M1's (mac2.metal instances)
  - Ensuring powershell path is set to system directory on Windows
  - Load DLLs with using system/absolute paths on Windows
  - Added workaround for Samba limit when loading Active Directory ids
  - Dynamically get network interface name for SeamlessDomainJoin
  - Added install-yum-rpm to makefile to install agent on host from source code
  - Added logging for specifying credential source
  - Refactored tests to remove mocks from production binaries
  - Updated Windows DomainJoin plugin SharpZipLib and Newtonsoft.json dependencies
  3.2.345.0
  - Updated yaml.v3 dependency
  3.2.286.0
  - Separated EC2 identity vault manifest from OnPrem identity vault manifest
  - Fix for credential retrieval blocking os termination signals
  - Fix for agent updater using shared credentials on EC2
  - Added guards against panic for agent identity health checks
  - Added logging around agent module start/stop
  3.2.183.0
  - Added logging when assuming identity
  - Increased retries to ECS metadata endpoint
  - Added linux debug build to makefile
  - Implemented aws sdk logging interface
  - Updated agent minor version to 3.2
  - Added functionality to retrieve agent credentials from Systems Manager on EC2
  3.1.1927.0
  - Update shell for Session Manager on MacOS
  3.1.1856.0
  - Lower message length threshold for cloudwatch log streaming
  - Ran gofmt and goimports with golang version 1.19
  - Report AvailabilityZone and AvailabilityZoneId in health pings
  - Update AWS Go SDK to v1.44.78
  3.1.1767.0
  - Fix samba configuration for sub-domains
  3.1.1732.0
  - Add code in document/session worker to fallback to default identity selector when runtime config not present
  - Fix to handle command-line-arguments in document/session worker when launched by old agent workers
  3.1.1634.0
  - Fallback to file based IPC if named pipe creation times out
  - Increase tls handshake timeout in http download client
  - Log mds client timeout errors as WARN
  3.1.1575.0
  - Added separate metric for snapd running apps failure during update
  - Fixed idle session timeout with smux keep alive configuration based on CLI version
  - Updated AgentTaskComplete message retry
  - Updated go version to 1.18.3
  3.1.1511.0
  - Collect kernel version in InstanceDetailedInformation
  - Support separate output stream for non-interactive session
  - Cleanup default log group name for runcommands
  - Updated rpm spec file to include build id
  3.1.1476.0
  - Fix port session premature close when local server is not connected before timeout
  3.1.1446.0
  - Add created date to AgentJobAck message
  - Disable smux keep alive to use idle session timeout feature
  - Fix unit-tests running on windows
  3.1.1374.0
  - Added timeout for s3 HEAD requests
  - Added vpc address deny to port forwarding
  - Fixed for reboot scenario in configure package plugin
  - Fixed goroutine leak in seelog library
  - Fixed nullpointer segmentation fault in configure package plugin
  - Improved error handling in manifest download in updater
  - Improved worker initialization to improve startup failure logging
  3.1.1260.0
  - Added missing check for invalid S3 path parameter
  - Added support for domain join using a non-local username
  - Fixed broken links in README.md
  - Fixed ECS Exec issue where agent was using environment variables for credentials
  - Updated Ec2Detector test to query smbios directly for system information
  3.1.1208.0
  - Updated ec2detector module to use Get-CmiInstance instead of wmic.exe
  - Fixed file creation mode of ssm-agent-users sudoer file
  3.1.1188.0
  - Added new ec2detector module to determine if agent is on EC2
  - Added support for port forwarding to remote host
  - Added quotes around inventory parameter ValueName on Windows
  - Fix for domain join DNS IP assignments in shared directories
  - Replaced namedpipe updater test with ec2detector test
  3.1.1141.0
  - Add application inventory by file for Bottlerocket
  - Fix infinite retry logic to send failed replies in MGSInteractor
  - Remove usage of io/fs package
  3.1.1080.0
  - (windows only) Remove symlink scan during update
  3.1.1045.0
  - Fixed sourceHash validation for aws:application document plugin
  - Added document parameter validation for values passed to target document of aws:runDocument plugin
  - (windows only) Fix process leak when legacy cloudwatch plugin is enabled
  - (windows only) Fail installation if C:\ProgramData\Amazon\SSM\ has symlinks
  3.1.1004.0
  - Added platform detection for Bottlerocket OS
  - Consolidated regional endpoint generation to common endpoint module
  3.1.941.0
  - Added support for Rocky linux
  - Fixed sharefile/shareprofile not being propagated to updateutil
  - Fixed incorrect darwin platform detection post BigSur
  - Fixed log flush issue in updater
  - Updated .NET dependencies for domainjoin and cloudwatch (windows only)
  - Updated go version to 1.17.6
  3.1.821.0
  - Implement new core module named MessageService to start processing commands from both MGS and MDS
  - Merge functionalities from RunCommandService core module and Session core module.
  - Receive run command documents through MGS if connected and fallback to MDS otherwise. This functionality requires appropriate permissions for both endpoints and will be rolled out gradually to end users.
  - Provide filesystem based idempotency check to avoid duplicate run command document execution.
  - Increase default run command pool buffer size from 1 to 5 to load additional documents before-hand for processing.
  - Fix nil pointer dereference panic produced in named pipe test case during agent update
  - Remove StopType concept in ssm-agent-worker and add different waits for reboot and shutdown stop
  3.1.804.0
  - Add support for upstart when running get-diagnostic command using ssm-cli
  - Fix systemctl service name to support older versions of systemctl
  - Include changes to facilitate testing
  - Update DNS server selection logic for seamless domain join on linux and darwin
  - Update go version to go1.17.5
  - Update golang sys package dependency
  3.1.715.0
  - Derive default directories from appconfig on Darwin
  - Set x-bit on newly-created directories
  3.1.634.0
  - Fix for ssm-setup-cli to be able to select service manager without the agent being installed
  3.1.630.0
  - Added greengrass component recipe for the new SystemsManagerAgent component
  - Added support for registering agent on a greengrass device
  - Added support for downloading more than 1000 objects in downloadContent
  - Fixed retry logic for onprem and s3 upload
  - Fixed unit tests when running on Mac
  - Update AWS SDK to v1.41.4
  - Update logic to retrieve platform details for Rocky Linux
  3.1.501.0
  - Add diagnostics command to ssm-cli
  - Fix caching for onprem credentials
  - Additional configuration options for Seamless Domain Join
  - Gracefully exit session if group of runas user is modified
  - Skip retries for cert validation errors in S3 HEAD requests
  - Fix DNS failures on CentOS 8.2
  - Update several dependencies
  3.1.459.0
  - Fixed a bug with powershell command for Inventory
  3.1.426.0
  - Fixed cpu spike issue manifesting on snap
  - Fixed issue with version comparison in EC2Config update plugin
  - Fixed panic when command output was being truncated
  - Updated build to use go1.16.8
  - Removed Profile from inventory powershell commands on Windows
  3.1.338.0
  - Fix to eliminate WaitGroup reuse panic triggered during agent reboot
  - Fix to include applications without UninstallString in Inventory for Windows
  - Fixed a bug where multi-plugin documents with large outputs would timeout RunCommand
  - Fixed a bug where RunCommand could delay executions for up to 15 minutes
  3.1.282.0
  - Add serial port logging of AwsNitroEnclaves package version on windows during startup
  - Allow usage of existing loggroup/logstream when the user does not have create permission
  - Change service interrogate request log to debug
  - Cleanup old surveyor channel files on startup
  - Fix filehandle leak in windows leading to agent going offline
  - Fix to schedule correct next run time during orchestration directories cleanup
  - Fix to sequentially update correct runcount value in the document bookkeeping file
  - Fix a bug with version parsing EC2Config updater
  - Updated rpm packaging for fips compliance
  3.1.192.0
  - Added darwin arm64 to makefile
  - Added logic to limit orchestration directory cleanup
  - Added packaging for public SSM Agent container image
  - Fixed cloudwatch endpoint for telemetry metrics requests
  - Fixed handling of Windows filepaths and mutex locks
  - Fixed agent worker handling of OS signals and termination channel requests
  - Updated datachannel retry strategy to not retry for a specific error scenario
  - Updated default gomaxproc value for Windows
  - Update build to use go1.16.6
  3.1.127.0
  - Added a workaround for windows random halts
  - Fixed race condition during reboot document execution
  3.1.90.0
  - Updated to version 3.1
  - Updated build to build statically linked binaries for linux 64bit
  - Minimum supported linux kernel version for linux 64bit is 3.2+
  - Fixed permissions for docker config file
  - Fixed issue with ubuntu prerm and postinst scripts
  - Fixed issue where processor stop was being called twice
  3.0.1390.0
  - Added config option to delete orchestration folder
  - Added snapcraft packaging config
  - Added workaround for aws:runDocument status bug
  - Added improved handling of file closure
  - Added support for go mod and updated build to use go 1.16.4
  - Fixed bug parsing vpce s3 urls
  - Refactored use of agent identity in agent cli
  - Updated check if agent is running as windows service
  - Updated handling of session cancellation to still send output to client side
  - Updated interactive session exit code logic to match non-interactive mode
  - Updated vendor dependencies
  3.0.1295.0
  - Added configurable custom identity and identity consumption order
  - Added cross-account domain join
  - Added cleanup for older versions of updater artifacts
  - Added a workaround for MacOS kernel bug that sometimes kept RunCommand from launching
  - Added a workaround for log file contention on Windows
  - Added synchronization to RunCommand service stop
  - Changed hibernation log level
  - MacOS executables are now signed
  - Removed delay in non-interactive session type
  3.0.1209.0
  - Fixed issue where registration file is not removed when registration is cleared
  - Removed unnecessary CloudWatch Log api calls
  - Added support for IMDSv2 in Windows AD domain join plugin
  3.0.1181.0
  - Added support for digest authorization in downloadContent plugin
  - Added missing defer close for windows service in updater
  - Added support to disable onprem hardware similarity check
  - Fixed windows random halts issue
  - Refactored windows startup
  - Refactored task pool to dynamically dispatch goroutines
  3.0.1124.0
  - Added a check for broken symlink after update
  - Added support for NonInteractiveCommands session type on Linux and Windows platforms
  - Added lint-all flag to makefile
  - Changed Inventory plugin billinginfo to use IMDSv2
  - Fixed indefinite retries for ResourceError during CWLogging
  - Fixed go vet call in checkstyle.sh
  - Fixed inter process communication log line
  - Fixed a bug where CloudWatch logs were not being uploaded
  - Fixed timer and goroutine leaks
  - Fixed an issue where document workers on Windows were not exiting
  3.0.1031.0
  - Added test-all flag to the makefile
  - Added support for onprem private key auto rotation
  - Added config to remove plugin output files after upload to s3
  - Added update precondition for upcoming 3.1 release
  - Fixed cloudwatch windows where TLS 1.0 is disabled
  - Fixed document cloudwatch upload when CreateLogStream permissions were missing left instances stuck in terminating
  - Fixed domain join windows EC2 instances where TLS 1.0 is disabled
  - Fixed domain join script for .local domain names
  - Fixed domain join script to exit when domain is already joined
  - Fixed panic issue in windows startup script when executing powershell command
  - Fixed session manager issue on MacOS for root and home path
  - Removed IMDS call in domain join script
  - Refactored update plugin and updater interaction
  3.0.882.0
  - Added jitter to first control channel call
  - Added dedicated folder for plugins
  - Added option to overwrite corrupt shared credentials
  3.0.854.0
  - Added $HOME env variable for root user when runAsElevated is true in session
  - Added CREAD flag in serial port control flags on linux
  - Added PlatformName and PlatformVersion as env variables for aws:runShellScript
  - Added support for macOS updater
  - Added v2.2 document support in updater
  - Added defer recover statements
  - Fixed inventory error log when dpkg is not available
  - Fixed ssm-cli logging to stdout
  - Removed consideration of unimportant error codes in service side
  - Updated ec2 credential caching time to ~1 hour
  - Updated service query logic for Windows
  - Updated golang sys package dependency
  3.0.755.0
  - Fix fallback logic for MGS endpoint generation
  - Fix regional endpoint generation
  3.0.732.0
  - Fix bug in document parameter expansion
  - Fix datachannel to wait for empty message buffer before closing
  - Fix for hung Session Manager sessions
  - Fix for folder permission issue in domain join
  - Refactor identity handling
  - Update session plugin to pause reading when datachannel not actively sending data
  - Update ssm-user creation details in README.md
  3.0.655.0
  - Add feature to retain hostname during domain join
  - Add delay to pty start failure for session-worker
  - Add nil pointer check on shell command for session-worker
  - Add shlex to vendor which is used to parse session interactive command input for session-worker
  - Change log level for IPC not readable message
  - Change v2 agent to use v3 agent executor
  - Fix network connectivity issues on RHEL8
  - Fix race condition where first message is dropped when session plugin's message handler is not ready
  - Fix file channel protocol test cases
  - Fix blocking http call when certificates are not available
  - Move aws cli installation out of /tmp for domain join plugin
  - Update boolean attributes in Session Document to accept both string and bool values
  - Upgrade vendor dependencies and build to use go1.15.7
  3.0.603.0
  - Added instruction to README.md for getting the latest version of SSM Agent in a specific region
  - Fix for PowerShell stream data being executed in reverse order
  - Fix to create update lock folder before creating update locks
  - Fix to reset ipcTempFile properties at the end of session
  3.0.529.0
  - Fix for encrypted s3 bucket upload
  3.0.502.0
  - Add agent version flag to retrieve agent version
  - Add onFailure/onSuccess/finallyStep support for plugins
  - Add SSE header for S3 Upload
  - Add SSM Agent support in MacOS
  - Extend use of default http transport
  - Fix for Agent not acquiring new instance role credentials after EC2 hibernation
  - Fix for shell profile powershell commands not being executed in the expected order
  - Fix to delete undeleted channel while using reboot document
  - Fix to consider status of all plugin steps in document after system restart
  - Fix bug capturing rpm install exit code
  - Handle sourceInfo json sent from CLI in downloadContent plugin
  - Optimize agent startup time by removing additional wait times
  - Refactor makefile
  - Replace master branch with mainline branch
  - Upgrade aws-sdk-go to latest version(v1.35.23)
  3.0.431.0
  - Use DefaultTransport as underlying RoundTripper for S3 access
  3.0.413.0
  - Add additional checks and logs to install scripts
  - Add retry logic to handle ssm document during reboot
  - Add dockerfile to build agent
  - Add script to package binaries to tar
  - Change default download directory on Linux to /var/lib/amazon/ssm
  - Extend SSM Agent ability to execute from relative path and use custom certificates
  - Fix IP address parsing in domain join plugin
  - Fix self update logging
  - Log fingerprint similarity check failures as ERROR and each changed machine property as WARN
  - Prefix ecs target id with 'ecs:'
  - Prefer non-link-local addresses to show in Console
  - Use IMDSv1 after IMDSv2

Signed-off-by: Adolf Belka
---
 lfs/amazon-ssm-agent | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lfs/amazon-ssm-agent b/lfs/amazon-ssm-agent index 451dfa9cf..bc19b30ee 100644 --- a/lfs/amazon-ssm-agent +++ b/lfs/amazon-ssm-agent @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2019 IPFire Team # +# Copyright (C) 2019-2023 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -26,7 +26,7 @@ include Config SUMMARY = Amazon Remote System Config Management -VER = 3.0.356.0 +VER = 3.2.582.0 SUP_ARCH = aarch64 x86_64 THISAPP = amazon-ssm-agent-$(VER)
@@ -35,7 +35,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = amazon-ssm-agent -PAK_VER = 7 +PAK_VER = 8 DEPS = @@ -51,7 +51,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = cd30fe1931c02ff5d969ef19152d4f4a8f5883ab6952fa05eb0878526ed02c949afac36c0d363bc37c54594baf9fd96002d30605d9d687e36c8f0e9acb69148b +$(DL_FILE)_BLAKE2 = df2c6111d0c3e941773c5657b199d414435742b20187788b4b07253f67ba0c54ce42e6c62851fba26635b01226b1e1a3e8b4db1f3b3b983323fe764f12c19ddc install : $(TARGET)
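Review bot: the `VER` hunk moves the package to 3.2.582.0, but the changelog in the commit message stops at 3.2.574.0, so the release notes for 3.2.582.0 itself are not documented; either add that entry or state that the 3.2.582.0 release carried no changelog, so the message covers every upstream version the update pulls in.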
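Review bot: in the `$(DL_FILE)_BLAKE2` hunk the new checksum is the only integrity control on the tarball fetched from `$(URL_IPFIRE)`, and neither the hunk nor the message says how it was derived, so please record that it was checked against the upstream release artifact. The same message lists an upstream move to go mod, statically linked linux binaries, go 1.18.3 and gofmt under go 1.19 between 3.0.356.0 and 3.2.582.0, while this lfs file changes nothing in the build recipe beyond `VER`, `PAK_VER = 8` and the hash; a note that the package builds on both listed `SUP_ARCH` targets with the current IPFire toolchain would make the review self-contained.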